ipsec-tools 0.6.4 from ports

Important error messages are logged at level 'daemon.info'. However, the default /etc/syslog.conf in FreeBSD discards all such messages, and there's no warning that you need to change anything. As a result, you get a lot of strange debug messages in /var/log/debug.log, but not the important messages which tell you the actual problem.

Fix:

In plog.c, the syslog messages are mapped as follows:

    { "INFO", LOG_INFO, },
    { "NOTIFY", LOG_INFO, },
    { "WARNING", LOG_INFO, },
    { "ERROR", LOG_INFO, },
    { "DEBUG", LOG_DEBUG, },
    { "DEBUG2", LOG_DEBUG, },

and also the facility is hardcoded to 'daemon':

    openlog(pname, LOG_NDELAY, LOG_DAEMON);

but the default /etc/syslog.conf does not match daemon.info at all:

    *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err   /var/log/messages
    security.*                                      /var/log/security
    auth.info;authpriv.info                         /var/log/auth.log
    mail.info                                       /var/log/maillog
    lpr.info                                        /var/log/lpd-errs
    ftp.info                                        /var/log/xferlog

So some solutions might be:

(1) Patch racoon to change LOG_INFO to LOG_NOTICE or above
(2) Patch racoon to change LOG_DAEMON to LOG_SECURITY
(3) Change the base system syslog.conf to include

    daemon.info                                     /var/log/daemon

(4) Have the port postinstall script add a line like the above to syslog.conf if required
(5) Install /usr/local/share/doc/ipsec-tools/README.syslog documenting this problem, and include a big asterisked warning in pkg-descr and display it at port install time

Choice between these five bikesheds is left to the reader, but I don't think the current situation is desirable.

How-To-Repeat:

Example: set up racoon with world-read permissions on psk.txt. The only problem reports you see are cryptic messages in /var/log/debug.log which say

    Dec 29 08:36:19 candlerb racoon: DEBUG: an undead schedule has been deleted.
    Dec 29 08:36:19 candlerb racoon: DEBUG: ===
    Dec 29 08:36:19 candlerb racoon: DEBUG: 68 bytes message received from 192.168.1.200[500] to 192.168.1.100[500]
    Dec 29 08:36:19 candlerb racoon: DEBUG: 1103a42a 7a3e5e0d 3c390faf 1c8e4a96051 00201 00000000 00000044 4ccc8164 6c301245 fb14f82f 04bceecd 7cdedfba 30c1a596 85cc072e e9c66978 14255c94 67d31786
    Dec 29 08:36:19 candlerb racoon: DEBUG: malformed cookie received or the spi expired.

To see the underlying problem you have to run racoon in the foreground (-F) or change syslog.conf, at which point you see

    2005-12-29 09:52:38: ERROR: /usr/local/etc/racoon/psk.txt has weak file permission
    2005-12-29 09:52:38: ERROR: failed to open pre_share_key file /usr/local/etc/racoon/psk.txt
    2005-12-29 09:52:38: ERROR: couldn't find the pskey for 192.168.1.200.
    2005-12-29 09:52:38: ERROR: failed to process packet.
    2005-12-29 09:52:38: ERROR: phase1 negotiation failed.
    2005-12-29 09:52:38: DEBUG: an undead schedule has been deleted.
    2005-12-29 09:52:38: DEBUG: ===
    ... etc
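As an added illustration (not from the PR or from ipsec-tools), a small C model of syslogd's selector matching run over the default syslog.conf lines quoted above; it shows that a daemon.info message reaches no file, while daemon.notice (option 1) and security.info (option 2) do. The selector table and level names come from the post; the matching rules are a simplified model of syslogd(8), as noted in the comments.

```c
#define _POSIX_C_SOURCE 200809L   /* for strtok_r */
#include <stdio.h>
#include <string.h>
#include <syslog.h>
/* Selector lines of the default FreeBSD /etc/syslog.conf quoted in the PR. */
static const struct { const char *sel, *target; } conf[] = {
    { "*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err", "/var/log/messages" },
    { "security.*",              "/var/log/security" },
    { "auth.info;authpriv.info", "/var/log/auth.log" },
    { "mail.info",               "/var/log/maillog" },
    { "lpr.info",                "/var/log/lpd-errs" },
    { "ftp.info",                "/var/log/xferlog" },
};
/* Level names indexed by their LOG_* value (LOG_EMERG = 0 ... LOG_DEBUG = 7). */
static const char *levels[] = { "emerg", "alert", "crit", "err",
                                "warning", "notice", "info", "debug" };

/* Does one selector line accept a message of (facility, level)?  Simplified model of
 * syslogd(8): selectors apply left to right, a later one for the same facility overrides
 * an earlier one, "fac.none" drops the facility, "fac.lvl" accepts lvl and more severe. */
static int line_matches(const char *line, const char *facility, int level) {
    char buf[256], *sel, *save;
    int matched = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (sel = strtok_r(buf, ";", &save); sel; sel = strtok_r(NULL, ";", &save)) {
        char *dot = strchr(sel, '.');
        if (!dot) continue;
        *dot = '\0';
        if (strcmp(sel, "*") != 0 && strcmp(sel, facility) != 0) continue;
        if (strcmp(dot + 1, "none") == 0) { matched = 0; continue; }
        if (strcmp(dot + 1, "*") == 0)    { matched = 1; continue; }
        for (int i = 0; i < 8; i++)   /* lower LOG_* value means more severe */
            if (strcmp(dot + 1, levels[i]) == 0) matched = (level <= i);
    }
    return matched;
}

/* First log file the quoted configuration routes (facility, level) to, or NULL
 * when syslogd would discard it, as it does with racoon's daemon.info errors. */
const char *syslog_target(const char *facility, int level) {
    for (size_t i = 0; i < sizeof conf / sizeof conf[0]; i++)
        if (line_matches(conf[i].sel, facility, level)) return conf[i].target;
    return NULL;
}

static void show(const char *fac, int lvl) {
    const char *t = syslog_target(fac, lvl);
    printf("%s.%s -> %s\n", fac, levels[lvl], t ? t : "(discarded)");
}
int main(void) { show("daemon", LOG_INFO); show("daemon", LOG_NOTICE); show("security", LOG_INFO); return 0; }
```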
State Changed From-To: open->feedback

Awaiting maintainer's feedback
Hi.

For that specific file permission problem, this is documented in racoon.conf's man page....

However, sending syslogs to /dev/null (well, that's the result...) by default is not a good idea for such a daemon!

The best (and quicker) short term solution is probably to patch racoon to use LOG_SECURITY instead of LOG_DAEMON; here is a quick patch for that (ready to insert in the port's files dir). But be careful about setting racoon in debug mode after that, you may really have *lots* of messages then!!!

A better mid-term solution will probably be to allow such parameters to be configured in racoon.conf. I'll do that for a future major version (0.7?) of ipsec-tools.

I'll also try to improve racoon's reaction when having such a weak psk file (send a more explicit message in debug? refuse to start? read the file anyway but send explicit warnings?).

Yvan.

--
NETASQ - Secure Internet Connectivity
http://www.netasq.com
On Fri, Dec 30, 2005 at 11:34:42AM +0100, VANHULLEBUS Yvan wrote:
> I'll also try to improve racoon's reaction when having such a weak psk
> file (send a more explicit message in debug ? refuse to start ? read
> anyways the file but send explicit warnings ?).

Duplicating all ERRORs at DEBUG level is another option I hadn't considered, but seems rather wasteful.

I have no issue with the quality of error messages produced by racoon - in fact they're excellent. The problem was simply that I couldn't see them :-)

I don't think making 'weak psk security' errors a special case is the solution. Rather, I think it's necessary to make _all_ error messages properly visible.

Regards,

Brian.

P.S. Another option: make the ipsec-tools port log errors to a file by default, rather than syslog, by appropriate choice of default racoon_flags.
State Changed From-To: feedback->open

Maintainer sent a patch
Responsible Changed From-To: freebsd-ports-bugs->vd

I will take it
State Changed From-To: open->closed

Committed, thanks!